From 638fc9ce2cfdd2e8395471d974ec0d28d1b9064c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 6 Dec 2009 16:23:11 +0000 Subject: Make the libk5crypto hash_provider interface take crypto_iov lists instead of lists of krb5_data. Make the base HMAC APIs take crypto_iov lists and drop the _iov variants. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23450 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/crypto/builtin/hmac.c | 186 +++++++++++++----------------------------- 1 file changed, 56 insertions(+), 130 deletions(-) (limited to 'src/lib/crypto/builtin/hmac.c') diff --git a/src/lib/crypto/builtin/hmac.c b/src/lib/crypto/builtin/hmac.c index 7d1f244..19ed2ef 100644 --- a/src/lib/crypto/builtin/hmac.c +++ b/src/lib/crypto/builtin/hmac.c @@ -30,17 +30,14 @@ /* * Because our built-in HMAC implementation doesn't need to invoke any - * encryption or keyed hash functions, it is simplest to define it in - * terms of keyblocks, and then supply a simple wrapper for the - * "normal" krb5_key-using interfaces. The keyblock interfaces are - * useful for the built-in arcfour code which constructs a lot of - * intermediate HMAC keys. For other back ends, it should not be - * necessary to supply the _keyblock versions of the hmac functions if - * the back end code doesn't make use of them. + * encryption or keyed hash functions, it is simplest to define it in terms of + * keyblocks, and then supply a simple wrapper for the "normal" krb5_key-using + * interfaces. The keyblock interfaces are useful for code which creates + * intermediate keyblocks. */ /* - * the HMAC transform looks like: + * The HMAC transform looks like: * * H(K XOR opad, H(K XOR ipad, text)) * @@ -53,143 +50,72 @@ krb5_error_code krb5int_hmac_keyblock(const struct krb5_hash_provider *hash, - const krb5_keyblock *key, unsigned int icount, - const krb5_data *input, krb5_data *output) + const krb5_keyblock *keyblock, + const krb5_crypto_iov *data, size_t num_data, + krb5_data *output) { - size_t hashsize, blocksize; - unsigned char *xorkey, *ihash; + unsigned char *xorkey = NULL, *ihash = NULL; unsigned int i; - krb5_data *hashin, hashout; + krb5_crypto_iov *ihash_iov, ohash_iov[2]; + krb5_data hashout; krb5_error_code ret; - hashsize = hash->hashsize; - blocksize = hash->blocksize; + if (keyblock->length > hash->blocksize) + return KRB5_CRYPTO_INTERNAL; + if (output->length < hash->hashsize) + return KRB5_BAD_MSIZE; - if (key->length > blocksize) - return(KRB5_CRYPTO_INTERNAL); - if (output->length < hashsize) - return(KRB5_BAD_MSIZE); - /* if this isn't > 0, then there won't be enough space in this - array to compute the outer hash */ - if (icount == 0) - return(KRB5_CRYPTO_INTERNAL); - - /* allocate space for the xor key, hash input vector, and inner hash */ - - if ((xorkey = (unsigned char *) malloc(blocksize)) == NULL) - return(ENOMEM); - if ((ihash = (unsigned char *) malloc(hashsize)) == NULL) { - free(xorkey); - return(ENOMEM); - } - if ((hashin = (krb5_data *)malloc(sizeof(krb5_data)*(icount+1))) == NULL) { - free(ihash); - free(xorkey); - return(ENOMEM); - } - - /* create the inner padded key */ - - memset(xorkey, 0x36, blocksize); - - for (i=0; ilength; i++) - xorkey[i] ^= key->contents[i]; - - /* compute the inner hash */ - - hashin[0].length = blocksize; - hashin[0].data = (char *) xorkey; - for (i=0; ihash))(icount+1, hashin, &hashout)))) + /* Allocate space for the xor key, hash input vector, and inner hash */ + xorkey = k5alloc(hash->blocksize, &ret); + if (xorkey == NULL) + goto cleanup; + ihash = k5alloc(hash->hashsize, &ret); + if (ihash == NULL) + goto cleanup; + ihash_iov = k5alloc((num_data + 1) * sizeof(krb5_crypto_iov), &ret); + if (ihash_iov == NULL) goto cleanup; - /* create the outer padded key */ - - memset(xorkey, 0x5c, blocksize); - - for (i=0; ilength; i++) - xorkey[i] ^= key->contents[i]; - - /* compute the outer hash */ - - hashin[0].length = blocksize; - hashin[0].data = (char *) xorkey; - hashin[1] = hashout; - - output->length = hashsize; + /* Create the inner padded key. */ + memset(xorkey, 0x36, hash->blocksize); + for (i = 0; i < keyblock->length; i++) + xorkey[i] ^= keyblock->contents[i]; + + /* Compute the inner hash over the inner key and input data. */ + ihash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA; + ihash_iov[0].data = make_data(xorkey, hash->blocksize); + memcpy(ihash_iov + 1, data, num_data * sizeof(krb5_crypto_iov)); + hashout = make_data(ihash, hash->hashsize); + ret = hash->hash(ihash_iov, num_data + 1, &hashout); + if (ret != 0) + goto cleanup; - if ((ret = ((*(hash->hash))(2, hashin, output)))) + /* Create the outer padded key. */ + memset(xorkey, 0x5c, hash->blocksize); + for (i = 0; i < keyblock->length; i++) + xorkey[i] ^= keyblock->contents[i]; + + /* Compute the outer hash over the outer key and inner hash value. */ + ohash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA; + ohash_iov[0].data = make_data(xorkey, hash->blocksize); + ohash_iov[1].flags = KRB5_CRYPTO_TYPE_DATA; + ohash_iov[1].data = make_data(ihash, hash->hashsize); + output->length = hash->hashsize; + ret = hash->hash(ohash_iov, 2, output); + if (ret != 0) memset(output->data, 0, output->length); - /* ret is set correctly by the prior call */ - cleanup: - memset(xorkey, 0, blocksize); - memset(ihash, 0, hashsize); - - free(hashin); - free(ihash); - free(xorkey); - - return(ret); -} - -krb5_error_code -krb5int_hmac_iov_keyblock(const struct krb5_hash_provider *hash, - const krb5_keyblock *key, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output) -{ - krb5_data *sign_data; - size_t num_sign_data; - krb5_error_code ret; - size_t i, j; - - /* Create a checksum over all the data to be signed */ - for (i = 0, num_sign_data = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - - if (SIGN_IOV(iov)) - num_sign_data++; - } - - /* XXX cleanup to avoid alloc */ - sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data)); - if (sign_data == NULL) - return ENOMEM; - - for (i = 0, j = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - - if (SIGN_IOV(iov)) - sign_data[j++] = iov->data; - } - - /* caller must store checksum in iov as it may be TYPE_TRAILER or TYPE_CHECKSUM */ - ret = krb5int_hmac_keyblock(hash, key, num_sign_data, sign_data, output); - - free(sign_data); - + zapfree(xorkey, hash->blocksize); + zapfree(ihash, hash->hashsize); + free(ihash_iov); return ret; } krb5_error_code krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key, - unsigned int icount, const krb5_data *input, krb5_data *output) -{ - return krb5int_hmac_keyblock(hash, &key->keyblock, icount, input, output); -} - -krb5_error_code -krb5int_hmac_iov(const struct krb5_hash_provider *hash, krb5_key key, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output) + const krb5_crypto_iov *data, size_t num_data, + krb5_data *output) { - return krb5int_hmac_iov_keyblock(hash, &key->keyblock, data, num_data, - output); + return krb5int_hmac_keyblock(hash, &key->keyblock, data, num_data, output); } -- cgit v1.1